[lustre-devel] [PATCH 09/12] lustre: llite: properly detect SELinux disabled case

James Simmons jsimmons at infradead.org
Sun Dec 12 07:08:00 PST 2021


From: Sebastien Buisson <sbuisson at ddn.com>

Usually, security_dentry_init_security() returns -EOPNOTSUPP when
SELinux is disabled. But on some kernels it returns 0 when SELinux
is disabled, and in this case the security context is empty.
So in both cases make sure the security context name is not set, which
means "SELinux is disabled" for the rest of the code.

WC-bug-id: https://jira.whamcloud.com/browse/LU-15184
Lustre-commit: 42661f7ba106b7d2e ("LU-15184 llite: properly detect SELinux disabled case")
Signed-off-by: Sebastien Buisson <sbuisson at ddn.com>
Reviewed-on: https://review.whamcloud.com/45501
Reviewed-by: Jian Yu <yujian at whamcloud.com>
Reviewed-by: Shaun Tancheff <shaun.tancheff at hpe.com>
Reviewed-by: John L. Hammond <jhammond at whamcloud.com>
Reviewed-by: Oleg Drokin <green at whamcloud.com>
Signed-off-by: James Simmons <jsimmons at infradead.org>
---
 fs/lustre/llite/xattr_security.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/lustre/llite/xattr_security.c b/fs/lustre/llite/xattr_security.c
index e4fb64a..f14021d 100644
--- a/fs/lustre/llite/xattr_security.c
+++ b/fs/lustre/llite/xattr_security.c
@@ -60,7 +60,13 @@ int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
 
 	rc = security_dentry_init_security(dentry, mode, name, secctx,
 					   secctx_size);
-	if (rc == -EOPNOTSUPP)
+	/* Usually, security_dentry_init_security() returns -EOPNOTSUPP when
+	 * SELinux is disabled.
+	 * But on some kernels (e.g. rhel 8.5) it returns 0 when SELinux is
+	 * disabled, and in this case the security context is empty.
+	 */
+	if (rc == -EOPNOTSUPP || (rc == 0 && *secctx_size == 0))
+		/* do nothing */
 		return 0;
 	if (rc < 0)
 		return rc;
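Review bot: the new condition `rc == 0 && *secctx_size == 0` reads `*secctx_size` after the call, but nothing visible in this hunk shows that value being zeroed before security_dentry_init_security() runs. If a kernel returns 0 without writing the size, the test depends on whatever the caller left there. Consider setting `*secctx_size = 0` (and clearing `*secctx`) before the call, or noting in the comment that the caller guarantees it. The commit message also says the context name must end up unset in both cases, yet this early return does not touch it, so the code relies on the name still being unset at this point; a short comment stating that would help. As a style point, the `/* do nothing */` line sits inside an unbraced `if` body and is followed by `return 0;`, which reads oddly; braces around the two lines, or dropping the comment, would be clearer.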
-- 
1.8.3.1


